EP3286683A1 - Système et procédé pour surveiller l'intégrité d'un composant délivré par un système serveur à un système client - Google Patents

Système et procédé pour surveiller l'intégrité d'un composant délivré par un système serveur à un système client

Info

Publication number
EP3286683A1
EP3286683A1 EP16721076.4A EP16721076A EP3286683A1 EP 3286683 A1 EP3286683 A1 EP 3286683A1 EP 16721076 A EP16721076 A EP 16721076A EP 3286683 A1 EP3286683 A1 EP 3286683A1
Authority
EP
European Patent Office
Prior art keywords
sensor
component
integration
information
delivered
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP16721076.4A
Other languages
German (de)
English (en)
Inventor
Thomas Siebert
Karsten TELLMANN
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
G DATA SOFTWARE AG
Original Assignee
G DATA SOFTWARE AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by G DATA SOFTWARE AG filed Critical G DATA SOFTWARE AG
Publication of EP3286683A1 publication Critical patent/EP3286683A1/fr
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/168Implementing security features at a particular protocol layer above the transport layer
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Definitions

  • the present invention relates to a system and a method for monitoring the integrity of a component delivered by a server system to a client system and processable and / or executable on the client system.
  • the component can be a website which is processed or executed on a web browser acting as a client system.
  • server-side components such as a web server, a software backend and a database connection of the web server, as well as client-side components that are executed in the web browser of the actual customer.
  • client-side components are in the context of the representation of a Transfer web page from the web server to the customer's browser, such as HTML or JavaScript code.
  • the component transmitted according to the invention is such a client-side component.
  • components of the actual browser and its extensions, such as plug-ins, are not considered further.
  • client-side technologies have become the focus of attackers.
  • Malicious software or manual attackers intentionally attack the client-side components in the customer's browser, for example, to steal sensitive data. This is done by manipulating the original client components to modify or monitor the actual behavior of these components. Since this type of manipulation only takes place on the client side, server-side protection technologies can not recognize them.
  • the object of the present invention is therefore to provide a system for monitoring the integrity of a component delivered by a server system to a client system and processable and / or executable on the client system, i. H. a client-side component according to the invention to provide.
  • the present invention comprises a system for monitoring the integrity of a component delivered by a server system to a client system and processable and / or executable on the client system, which comprises an integration system and a sensor.
  • the integration system integrates the sensor into the component delivered by the server system to the client system.
  • the sensor is configured to be executed during processing and / or execution of the component and to detect modifications of the component.
  • the present invention thus provides a client-side protection technology which is executed during processing or execution of the client-side component and recognizes modifications of the component.
  • the integration system can be part of the server system or part of the client system or be made available by an intermediary proxy.
  • An integration of the integration system into the client system can take place in particular if there are several logical levels in the client system, whereby the integration of the sensor by the integration system takes place at a level above the expected attack.
  • the integration system can be connected upstream of the actual client system in the manner of a local proxy server in the client system.
  • the integration system preferably forms part of the server system or an intermediary proxy. This has the advantage that the service provider operating the server system can deliver the protection technology provided by the sensor without the customer having to act independently or even having any influence on it.
  • the integration system equips the sensor with information about the delivered state of the component and / or an identifier of the delivery process.
  • the information on the delivered state of the component allow the sensor to compare with the current state of the component and thus identification of modifications.
  • the identifier allows for communication of the sensor With other components of the system, an assignment of the report to a specific delivered component.
  • the senor can be integrated into the component or the sensor perform such actions that the sensor can not be removed by subsequent manipulations.
  • corresponding attributes of the sensor within the component can be set for this purpose.
  • the integration system obfuscates the sensor during integration or after integration. This is to prevent an attacker from detecting and removing the sensor within the component.
  • the integration system dynamically modifies the sensor for the integration. This is intended to reduce the detectability of the sensor within the component.
  • the integration system changes variable names and / or function names and / or the size of the sensor.
  • the position of the sensor within the component can be changed. Preferably, the change takes place for several and preferably each integration process different and / or random.
  • the integration system alters both the sensor and one or more components of the delivered component for the purpose of obfuscation.
  • the change in the other components of the delivered component also prevents easy detection of the sensor within the component.
  • the change takes place here differently and / or randomly in the case of several and preferably each integration process.
  • the integration system includes the sensor and / or one or more components of the delivered component in the context the integration of the sensor is encrypted.
  • the encrypted components only return their original meaning during the processing and / or execution of the component.
  • the entire program code of the delivered component can be encrypted after integration.
  • Such encryption protects against static analysis methods, since the original meaning of the individual constituents of the component results only when the component is processed or executed.
  • most malware only has static analysis and can not detect the sensor.
  • the system according to the invention may further comprise a reference proxy which alters references of the sensor and / or the delivered component prior to delivery of the component to the client system and / or addresses itself. This prevents the sensor from becoming recognizable by its references.
  • the references are references to external code and / or URLs.
  • the change and / or re-addressing of the references is preferably carried out differently and / or randomly in the case of several and preferably each delivered component.
  • the reference proxy is preferably designed such that it forwards the call to the original references when calling the modified and / or self-addressed references.
  • the reference proxy can store an association between the changed and / or self-addressed and the original references together with an identifier of the delivery process. If a corresponding call then follows, it is forwarded to the original reference on the basis of the stored assignment.
  • the reference proxy according to the invention can form part of the integration system. In this case, the reference proxy is preferably connected downstream of the actual integration and references all references in the component and the sensor integrated therein newly.
  • the senor when executed on the client system, it sends a report and / or detected modifications to another system.
  • a report and / or detected modifications to another system.
  • the senor transmits thereby modified or added elements of the component completely to the further system.
  • the sensor can send the complete component to the further system.
  • the other system has the opportunity to carry out a comprehensive analysis of the detected modifications or the component.
  • the report contains an identifier of the delivery process to which the report takes place. This allows the report and any modifications to be assigned to the corresponding component.
  • the sensor according to the invention can contain information about the delivered state of the component and compare it with the current state of the component. This allows the sensor to recognize in a particularly simple manner, a modification of the component which has taken place after delivery.
  • the information about the delivered state of the component may be structural information.
  • the senor recognizes modifications based on a document object model of the component.
  • a Document Object Model is particularly present in HTML documents and contains all the components of the HTML component. Based on the Document Object Model Therefore, modifications of the component are detected, and in particular modified and / or modified elements of the component are detected.
  • the senor can be configured such that the check is restricted to subregions of the delivered component.
  • a restriction to subareas of the delivered component prevents, for example, browser plug-ins occurring, unproblematic modifications in a non-critical portion of the delivered component lead to a report of a modification by the sensor.
  • the senor may have a filter function to exclude certain modifications.
  • a filtering function also prevents known, unproblematic modifications from being reported by the sensor.
  • the filter function can be implemented in the form of a white list of permissible modifications.
  • the system comprises an acceptance system, which receives information from the integration system and / or the sensor and preferably stores and / or forwards it.
  • the acceptance system can use the information to recognize whether the integration of the sensor and / or the execution of the sensor has occurred on the client system.
  • the acceptance system thus enables a monitoring of the proper functioning of the sensor and thus also serves to increase the safety.
  • the integration system is designed such that it sends a message to the acceptance system for each integration.
  • the message preferably includes an identifier of the delivery process.
  • the acceptance system thus receives information about all components supplied with an integrated sensor.
  • the acceptance system preferably stores the information received from the integration system and in particular an identifier for each delivery process. It is preferably provided that the acceptance system stores the information obtained from the integration system together with a time information. Alternatively or additionally, the information obtained by the integration system may already contain time information. The acceptance system therefore knows when a particular component has been delivered based on the stored information.
  • the senor sends a report to the acceptance system during its execution.
  • the report is preferably sent to the acceptance system regardless of whether a modification has been recognized or not. If no modification has been detected, it will be communicated via a corresponding report.
  • the report if a modification has been detected, the report preferably contains information about the identified modifications, and in particular, as described in more detail above, the complete modification or the complete modified component. Further preferably, the report comprises an identifier of the delivery process. As a result, the report within the acceptance system of the corresponding component can be assigned.
  • the acceptance system compares the information received from the sensor with stored information, in particular with the information that the acceptance system has received from the integration system.
  • the acceptance system matches an identifier of the delivery process received from the sensor with stored identifiers delivered by the integration unit.
  • the acceptance system interprets missing information or a missing report from a sensor as a modification or removal of the sensor.
  • missing information is preferably recognized on the basis of the stored time information. He- knows the acceptance system while a lack of information from a sensor and thus a modification, it preferably sends a message to either a downstream evaluation system, and / or to the server system.
  • the acceptance system interprets a missing report as a modification of the sensor, and preferably sends a corresponding message.
  • the system according to the invention comprises an evaluation system which evaluates the modifications detected by the sensor.
  • the system is designed such that the evaluation system completely receives modified or added elements of the component.
  • the evaluation system can also obtain the complete component. According to the invention, the evaluation system can thereby perform a detailed analysis of the modifications.
  • the evaluation system preferably receives the information about the identified modifications and in particular the modified elements or the modified component from the acceptance system.
  • the acceptance system generates a new evaluation task in the event that a report from the sensor reports a modification, and sends it to the evaluation system.
  • the type of evaluation of the modifications is initially not restricted. Preferably, the evaluation is carried out in several stages.
  • the evaluation is carried out at least also by static analysis methods, preferably by a plurality of different static analysis methods.
  • static analysis methods preferably by a plurality of different static analysis methods.
  • a comparison of the identified modifications with a blacklist and / or a whitelist, ie lists of already known, harmful or harmless modifications, can take place here.
  • an identification of unknown components, which are therefore not found on the blacklist, and on the whitelist, take place.
  • the analysis can be based on that in the component
  • the comparison with the blacklist can be done in a possible embodiment as a direct comparison, and / or as a comparison after a normalization, and / or as a similarity comparison.
  • dynamic analysis methods may also be used, in particular a simulation of the processing and / or execution of the component (sandboxing). Furthermore, the evaluation by machine learning method comes into question.
  • static analysis methods are preferred because they can be carried out much faster and require less effort than dynamic or machine learning methods.
  • the evaluation system calculates a risk value of the modified component.
  • This calculation of the risk value preferably takes place on the basis of an analysis and / or classification of the identified modifications.
  • the identified modifications are analyzed and / or classified, whereby each modification has a associated with the risk value. From the endangerment values of the individual identified modifications, the risk value of the modified component can be calculated as a whole. This results in an especially easy to implement assessment of the danger emanating from a modified component.
  • the evaluation system sends to the server system information on the risk of the modified component and in particular a risk value.
  • a risk value Preferably, an identifier of the delivery process is sent together with the information on the risk or the risk value, so that a corresponding assignment can be made on the part of the server system.
  • the server system is designed such that it initiates countermeasures on the basis of the information of the evaluation system.
  • the countermeasures preferably do not involve stopping the processing and / or execution of the modified component itself.
  • it is conceivable to suppress downstream processes such as an actual money transfer, a delivery of products or the like and / or to contact the customer.
  • the decision about countermeasures within the server system based on the information of the evaluation system and preferably based on further information in particular to the user behavior.
  • other factors such as, for example, a deviation of the detected behavior from a conventional user behavior can also be included in the decision whether and, if so, which countermeasures are taken.
  • the decision on countermeasures can be made both automated, as well as by a human decision maker to whom the corresponding information is made available by the server system.
  • the component is a web page.
  • the client system is a web browser.
  • the system according to the invention is therefore preferably used for securing a web page which is processed and / or executed by a web browser.
  • the integration of the sensor into the website according to the invention ensures that after the delivery of the website, manipulations taking place by the server system are detected.
  • the sensor is preferably a script which is integrated into the website. Integration into the website can also be done by integrating one or more references to external targets, which then contain the script.
  • the component delivered by the server system can provide one of the following services: a webmailer, a payment service, an online shop, and / or access to a social network.
  • a webmailer a payment service
  • an online shop a service that provides a payment service
  • a social network a service that provides a payment service.
  • sensitive data is exchanged, which is secured by the sensor according to the invention and its integration into the component against manipulation and tapping.
  • the present invention initially relates to the system just described for monitoring the integrity of a component delivered by a server system to a client system and processable and / or executable on the client system, which comprises at least the sensor according to the invention and an integration system according to the invention, and preferably also an acceptance system and / or or an evaluation system according to the present invention.
  • the present invention also relates to the individual components of the system according to the invention, and thus in particular to the inventive proper sensor, the integration system according to the invention, the acceptance system according to the invention and the evaluation system according to the invention.
  • the present invention thus encompasses, in particular, a sensor for a system as described above, wherein the sensor can be integrated into a component delivered by a server system to a client system and processable and / or executable on the client system and configured to be included in the system the processing and / or execution of the component is executed and detects modifications of the component.
  • the senor is preferably configured as has already been described in more detail above with regard to the system.
  • the senor can send a report and / or detected modifications to another system in its execution.
  • the sensor preferably transmits modified or added elements of the component completely to the further system, and / or, in the case of a modification, sends the complete component to the further system.
  • the report comprises an identifier of the delivery process.
  • the senor may contain information about the delivered state of the component, and compare it with the current state of the component. In particular, these are structural information. Furthermore, it can be provided that the sensor recognizes the modifications on the basis of a document object model of the component and / or that the sensor comprises a copy of the delivered document object model of the component.
  • the senor is configurable so that the review can be limited to portions of the delivered component.
  • the sensor may comprise a filter function to exclude certain modifications, in particular in the form of a whitelist.
  • the present invention further comprises an integration system for a system, as described in more detail above, wherein the integration system is configured such that it integrates a sensor into a component delivered by a server system to a client system and processable and / or executable on the client system.
  • the integration system is preferably configured as has already been described in more detail above with regard to the overall system.
  • the integration system equips the sensor with information about the delivered state of the component and / or an identifier of the delivery process.
  • the integration system can integrate the sensor in the component so that the sensor can not be removed by subsequent manipulations.
  • the integration system obscures the sensor during the integration or after the integration.
  • the integration system dynamically modifies the sensor for the integration.
  • the integration system preferably changes variable names and / or function names and / or the position of the sensor in the component and / or the size of the sensor.
  • the change takes place for several and preferably each integration process different and / or random.
  • the integration system alters both the sensor and one or more components of the delivered component for the purpose of obfuscation.
  • the change takes place differently and / or randomly in the case of several and preferably each integration process.
  • the integration system may include the sensor and / or one or more components of the delivered component, and preferably the entire program. encode the code of the delivered component as part of the integration of the sensor.
  • the encrypted components preferably only return their original meaning during the processing and / or execution of the component.
  • the integration system sends a message to an acceptance system for each integration, the message preferably comprising an identifier of the delivery process.
  • the integration system comprises a reference proxy which alters references of the sensor and / or the delivered component to external destinations prior to delivery of the component to the client system and / or addresses itself.
  • the change and / or addressing takes place differently and / or randomly in the case of several and preferably each delivered component.
  • the reference proxy forwards the call to the original references when the changed and / or addressed references are called.
  • the reference proxy can store an association between the changed and / or self-addressed and the original references together with an identifier for the respective delivery process.
  • the present invention further includes an acceptance system for a system as set forth above, wherein the acceptance system is configured to receive, store and / or forward information from the integration system and / or the sensor.
  • the acceptance system is preferably designed as already explained above with regard to the overall system.
  • the acceptance system can recognize by the information whether the integration of the sensor and / or whether the sensor has been executed on the client system.
  • the acceptance system preferably stores the information received from the integration system and in particular an identifier for each delivery process.
  • the acceptance system preferably stores the information obtained from the integration system together with time information, and / or the information obtained from the integration system already contains time information which is stored.
  • the acceptance system preferably compensates the information obtained from the sensor with stored information.
  • the acceptance system compensates for an identifier of the delivery process received from the sensor with stored identifiers delivered by the integration unit.
  • the acceptance system interprets missing information from a sensor as a modification of the sensor. Missing information is preferably detected based on the stored time information.
  • the acceptance system preferably sends an evaluation job to an evaluation system.
  • the present invention further comprises an evaluation system for a system, as described in more detail above, wherein the evaluation system is designed such that it evaluates the modifications detected by the sensor.
  • the evaluation system is preferably designed as already explained above with regard to the overall system.
  • the evaluation system completely receives and evaluates modified or added elements of the component, and / or or in the case of a modification receives and / or evaluates the complete component.
  • the evaluation can be done in several stages.
  • the evaluation can be carried out in particular by static analysis methods, in particular by comparison with a blacklist and / or a whitelist and / or an identification of unknown components and / or by means of references and / or signatures and / or word lists.
  • the comparison with the blacklist may be performed as a direct comparison and / or as a comparison after normalization and / or as a similarity comparison.
  • it can be checked whether there are new or changed references to a destination outside of a predefined area, in particular outside the server system.
  • the evaluation can also be carried out by dynamic analysis methods, in particular by the simulation of the processing and / or execution of the component, and / or by machine learning methods.
  • the evaluation system preferably calculates a risk value of the modified component. In particular, this is done based on an analysis and / or classification of the detected modifications. In particular, it can be provided that the detected modifications are analyzed and / or classified and each modification is assigned a hazard value, from which the risk value of the modified component is then calculated in its entirety. Furthermore, it can be provided that the evaluation system sends to the server system information on the risk of the modified component and in particular a risk value.
  • the acceptance system according to the invention and the evaluation system according to the invention are taken in each case and independently of one another the subject of the present invention. Furthermore, the combination of An acceptance system according to the invention and an evaluation system according to the invention are the subject of the present invention.
  • All components of the system according to the invention preferably operate automatically and thus implement the system according to the invention or carry out the method according to the invention automatically.
  • the individual components are provided by software and / or hardware.
  • the present invention further comprises a corresponding method.
  • the present invention encompasses a method for monitoring the integrity of a component delivered by a server system and a client system and processable and / or executable on the client system.
  • the sensor is integrated into the component delivered by the server system to the client system, wherein the sensor is executed during the processing and / or execution of the component and detects modifications of the component.
  • the process according to the invention preferably takes place in the same way as has already been described in more detail above with regard to the system according to the invention.
  • the method according to the invention can be carried out using a system according to the invention and / or using one of the components of such a system described above.
  • Fig. 1 a first embodiment of a system according to the invention and a method according to the invention and 2 shows a second embodiment of a system according to the invention and of a method according to the invention.
  • FIG. 1 and 2 two embodiments of a system according to the invention are shown. The embodiments represent at the same time embodiments of the components of the system according to the invention, as well as the method according to the invention.
  • Both exemplary embodiments each show a system for monitoring the integrity of a component 50 delivered by a server system 10 to a client system 20 and processable and / or executable on the client system 20, wherein the component in the exemplary embodiment is a web page which acts as a web server operating server system 10 is transmitted to a working as a client system 20 browser.
  • the communication between the web server 10 and the browser 20 takes place via the Internet, which is shown schematically as a cloud 30.
  • Both the exemplary embodiment of the system according to the invention shown in FIG. 1 and in FIG. 2 initially comprise the following components:
  • An integration system 40 which integrates a sensor 60 into an existing web page 50 transmitted from the web server 10 to the browser 20.
  • the integration can be done by the web server 10, or by an intermediary proxy, or on the client side.
  • a sensor 60 which can be integrated into the web page 50 and there identify modifications in the execution of the website.
  • the sensor can be implemented via JavaScript, for example.
  • An acceptance system 70 referred to in the exemplary embodiment as "report acceptance", to which the sensor component 60 determines web page changes. gene, where accepting system 70 accepts and stores the reports.
  • An evaluation system 80 which examines and classifies the data stored by the acceptance system 70 according to attack patterns.
  • the service operator can take appropriate measures. For example, the operator of a web shop can stop the delivery of ordered goods if the customer's account has possibly been stolen. It can be contacted with affected customers and, if appropriate, the account of the customer be temporarily blocked.
  • FIG. 2 differs from the embodiment shown in FIG. 1 by a further, additional component:
  • a reference proxy 90 which modifies references in the original elements of the web page 50 delivered by the web server 10 and in the elements of the sensor 60 and specifies the reference proxy as a new destination. When invoking such a reference, the reference proxy 90 forwards the call to the original destination. Preferably, the new references will be given randomly.
  • the purpose of the reference proxy is to obscure references to prevent identification of references from the sensor, particularly references to the acceptance system 70 of the sensor.
  • the reference proxy 90 represents an additional component added to the exemplary embodiment shown in FIG. 1. Otherwise, the exemplary embodiment shown in FIG. 2 corresponds to the exemplary embodiment shown in FIG.
  • the communication between the individual components takes place in the first exemplary embodiment in FIG. 1 as follows:
  • the customer 20 requests the website of the service provider 10.
  • the web server 10 of the service provider delivers the requested web page.
  • the sensor 60 is integrated into the website 50 in the integration system 40.
  • the original web page 50 including the integrated sensor 60 is transmitted to the customer.
  • the senor 60 determines modifications to the web page, and transmits a report with recognized web page modifications to the acceptance system 70.
  • the acceptance system 70 notifies the evaluation system 80 that a new analysis job is ready.
  • the customer 20 requests the website of the service provider 10.
  • the web server 10 of the service provider delivers the requested web page 50.
  • the integration system 40 integrates the sensor 60 into the web page 50. Upon successful integration of the sensor, this is signaled to the acceptance system 70. 3b.
  • the reference proxy 90 obfuscates the references in the original web page 50, including the integrated sensor 60, and delivers them to the customer 20 with obfuscated references.
  • the sensor 60 executes upon execution of the web page 50 and determines web page modifications which are transmitted via the reference proxy 90 to the acceptance system 70.
  • the acceptance system 70 notifies the evaluation system 80 that a new analysis job is ready.
  • the integration system 40 integrates the sensor into the web page 50 delivered by the server system 10.
  • the sensor is implemented in the exemplary embodiment as software.
  • the sensor is dynamically modified during or after the integration for obfuscation purposes.
  • the integration system 40 obscures the sensor's code by replacing all variable names and function names with new random values on a regular basis or for each version delivered.
  • the position of the sensor within the website can be changed regularly or even with each integration.
  • the order of references within the web page containing the sensor can be randomized to make it difficult to distinguish references to the original web page code and sensor code.
  • An alternative or additional way to obscure is to dynamically modify both the sensor and the rest of the website. For example, all the elements of the website including the sensor or the elements of the sensor can be given the same or randomly distributed lengths by adding padding. Alternatively or additionally, the web page or code contained therein can be encrypted, so that the web page or the code is then restored to its original meaning at runtime.
  • the concealment of the sensor or the entire component including the sensor serves to protect against static analysis methods, as they can no longer identify the sensor due to the obfuscation, so that removal of the sensor is impossible.
  • the script elements that comprise the sensor can be provided with attributes within the web page, which protects them from subsequent modifications.
  • the attributes can be specified in the so-called Document Object Model (DOM).
  • DOM Document Object Model
  • the integration connects the sensor to the website in such a way that it can not be removed afterwards. This is partly because the distinction between the sensor and the original components of the website in retrospect is no longer possible. A removal of the sensor by accidentally turning off individual elements of the web page is also hardly possible, since a random off elements with high security would lead to the fact that also originally delivered scripts are deleted, which are essential for the running of the website. The sensor is so much entangled with the original scripts that a high reliability runability is only given together with the sensor.
  • the integration system 40 sends a heartbeat 70 to the acceptance system.
  • the heartbeat includes an identifier for the delivery process. This identifier is also integrated into the sensor so that it can use the identifier for the assignment of reports. Furthermore, the sensor is equipped with information on the structure of the delivered web page, for example, with a copy of the Document Object Model. sensor
  • the sensor 60 is implemented as software that integrates with the delivered web page 50 and also executes upon execution of the web page on the client system 20.
  • the sensor can be implemented, for example, via JavaScript.
  • the sensor consists of one or more scripts, which are executed when the website is executed. The scripts can either be integrated directly into the website or via references.
  • the sensor 60 when executed, checks the web page for modifications.
  • the current Document Object Model is checked for modifications, in particular by comparing a stored copy of the unmodified Document Object Model with the current Document Object Model.
  • the senor When executed, the sensor sends a report to the acceptance system 70.
  • the report contains on the one hand the identifier of the delivery process, and on the other hand a message about whether modifications have been found or not. If modifications have been found, either the modified or added elements of the web page are sent completely to the acceptance system 70, or the entire modified web page. A closer analysis of the modifications by the sensor 60 is therefore not necessary and can be done in the evaluation system 80.
  • the sensor 60 is configurable so that web page review can be limited to portions of the web page. This avoids that areas that are not critical and that often undergo modifications are also checked and therefore lead to superfluous messages of modifications.
  • the senor may include a filter function to exclude frequently occurring modifications, for example as a result of a whitelist. This also avoids unnecessary notifications of modifications that are known to be unproblematic.
  • the sensor 60 performs in its execution on the client system 20 actions, after which it can not be removed by subsequent modifications. In particular, corresponding attributes in the Document Object Model are specified in such a way that a subsequent modification is no longer possible.
  • the reference proxy 90 serves to obscure the references to external targets contained in the original web page as well as in the sensor in order to make it difficult to distinguish between the elements of the web page and the sensor.
  • the reference proxy 90 is arranged between the integration system 40 and the client system 20.
  • the integrated sensor web page is delivered by the integration system 40 to the reference proxy 90, which replaces all the original references contained therein with new references targeting the reference proxy 90.
  • the new references will be given randomly.
  • references to the original destination are then passed from the reference proxy 90 to the original destination. If these are references from the original website, they will be forwarded to the original destination in server system 10. On the other hand, if they are references from the sensor, their original destination is usually the acceptance system 70, where they are forwarded.
  • the references are in particular URLs to external code, in particular to JavaScript.
  • the references of the original code and the sensor code are no longer distinguishable.
  • the integration system 40 sends a heartbeat to the acceptance system 70, which is stored by the acceptance system 70.
  • the stored information contain on the one hand an identifier of the delivery process, and on the other hand time information.
  • the senor 60 when executed, transmits a report to the acceptance system 70, which can be assigned to the heartbeats of the integration via the identifier.
  • the acceptance system 70 can therefore detect whether the integration of the sensor could be performed by the integration system, and whether the execution of the sensor on the client system 20 has occurred. In particular, the acceptance system 70 checks at regular intervals whether all the sensors that were delivered according to the heartbeats delivered by the integration system 40 have actually been executed. A missing report when the integration heartbeat has been performed is interpreted by the acceptance system 70 as preventing the processing / execution of the sensor by modifications of the web page. A missing report is therefore regarded as a modification of the website and treated accordingly.
  • the recording system 70 accepts the information contained in the report of the sensor 60 and stores it. Furthermore, the corresponding information is transferred to the evaluation system 80 in the form of an analysis job.
  • Evaluation system (classification) The data for modification stored by the acceptance system 70 are examined by the evaluation system 80 for attack patterns. Furthermore, the modifications are classified. For each identified modification, the result of the analysis may be as follows:
  • the individual modifications may be analyzed and / or classified by one or more of the following static evaluation methods: i) blacklist
  • a comparison of the detected modifications with known, harmful modifications can be made.
  • the comparison can be performed as a direct comparison, as a comparison after normalization or as a similarity comparison.
  • references contained in the modified component can be analyzed.
  • a dynamic evaluation of the modified component can take place by simulating the processing or execution (sandboxing).
  • the evaluation system 80 calculates a risk value of the modified web page, ie, a value that quantizes the overall risk posed by the modified web page.
  • the individual modifications are preferably analyzed, classified and then assigned a single hazard value for each individual modification. Based on the individual hazard values, the risk value of the modified website is then determined in its entirety.
  • the risk value is reported by the evaluation system 80 to the server system 10, together with the identifier of the delivery process.
  • the service operator can then take appropriate measures. This can either be automated or done by hand.
  • the measures are preferably not only made dependent on the risk value created by the evaluation system 80, but also on further data, for example on the usual user behavior.
  • the inventive system can be used to increase security in a variety of applications, particularly webmailers, payment services, online shops and social networks.
  • the present invention thereby provides a protection technology which, although performed on the client, can recognize the modifications made in this area, which however can be delivered by the service operator without the customer having to act independently.
  • the integration of the sensor takes place on the server side or by an intermediate proxy, and is not recognizable for the customer (and possible attackers).

Abstract

L'invention concerne un système de surveillance de l'intégrité d'un composant délivré par un système serveur à un système client et pouvant être traité et/ou exécuté sur le système client, lequel comprend un système d'intégration et un capteur, le système d'intégration intégrant le capteur au composant délivré par le système serveur au système client, et le capteur étant conçu de telle sorte que ledit capteur est exécuté lors du traitement et/ou de l'exécution du composant et détecte des modifications dudit composant.
EP16721076.4A 2015-04-21 2016-04-18 Système et procédé pour surveiller l'intégrité d'un composant délivré par un système serveur à un système client Pending EP3286683A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102015005071.0A DE102015005071A1 (de) 2015-04-21 2015-04-21 System und Verfahren zur Überwachung der Integrität einer von einem Serversystem an ein Clientsystem ausgelieferten Komponente
PCT/EP2016/000630 WO2016169646A1 (fr) 2015-04-21 2016-04-18 Système et procédé pour surveiller l'intégrité d'un composant délivré par un système serveur à un système client

Publications (1)

Publication Number Publication Date
EP3286683A1 true EP3286683A1 (fr) 2018-02-28

Family

ID=55948779

Family Applications (1)

Application Number Title Priority Date Filing Date
EP16721076.4A Pending EP3286683A1 (fr) 2015-04-21 2016-04-18 Système et procédé pour surveiller l'intégrité d'un composant délivré par un système serveur à un système client

Country Status (4)

Country Link
US (1) US10831887B2 (fr)
EP (1) EP3286683A1 (fr)
DE (1) DE102015005071A1 (fr)
WO (1) WO2016169646A1 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106779717B (zh) * 2016-11-30 2021-03-30 宇龙计算机通信科技(深圳)有限公司 一种支付认证方法及装置
US10796019B2 (en) * 2018-07-17 2020-10-06 Dell Products L.P. Detecting personally identifiable information (PII) in telemetry data
US11507880B2 (en) 2019-06-25 2022-11-22 Kyndryl, Inc. Automatic and continuous monitoring and remediation of API integrations

Family Cites Families (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5951300A (en) * 1997-03-10 1999-09-14 Health Hero Network Online system and method for providing composite entertainment and health information
US7509687B2 (en) * 2002-03-16 2009-03-24 Trustedflow Systems, Inc. Remotely authenticated operation method
US8806617B1 (en) * 2002-10-14 2014-08-12 Cimcor, Inc. System and method for maintaining server data integrity
EP1549012A1 (fr) * 2003-12-24 2005-06-29 DataCenterTechnologies N.V. Procédé et sytème d'identification de contenu de fichiers dans un réseau informatique
CN101065716A (zh) * 2004-11-22 2007-10-31 诺基亚公司 用于验证电子设备的平台软件的完整性的方法和设备
WO2007035327A2 (fr) * 2005-09-20 2007-03-29 Matsushita Electric Industrial Co., Ltd. Systeme et procede permettant d'obtenir un modele de confiance entre composants dans une composition de service poste a poste
US8307276B2 (en) * 2006-05-19 2012-11-06 Symantec Corporation Distributed content verification and indexing
US20080005095A1 (en) * 2006-06-28 2008-01-03 Microsoft Corporation Validation of computer responses
US7715448B2 (en) * 2007-06-06 2010-05-11 Red Aril, Inc. Network device for embedding data in a data packet sequence
US8782801B2 (en) * 2007-08-15 2014-07-15 Samsung Electronics Co., Ltd. Securing stored content for trusted hosts and safe computing environments
KR101377014B1 (ko) * 2007-09-04 2014-03-26 삼성전자주식회사 면역 데이터베이스 기반의 악성코드 진단 방법 및 시스템
FR2931613B1 (fr) * 2008-05-22 2010-08-20 Inst Nat Rech Inf Automat Dispositif et procede de verification d'integrite d'objets physiques
US8387129B2 (en) * 2008-06-09 2013-02-26 Qualcomm Incorporated Method and apparatus for verifying data packet integrity in a streaming data channel
US8572692B2 (en) * 2008-06-30 2013-10-29 Intel Corporation Method and system for a platform-based trust verifying service for multi-party verification
US8316387B2 (en) * 2008-08-28 2012-11-20 Microsoft Corporation Exposure of remotely invokable method through a webpage to an application outside web browser
US8931084B1 (en) 2008-09-11 2015-01-06 Google Inc. Methods and systems for scripting defense
US8677481B1 (en) 2008-09-30 2014-03-18 Trend Micro Incorporated Verification of web page integrity
US8850526B2 (en) * 2010-06-23 2014-09-30 K7 Computing Private Limited Online protection of information and resources
DE102011015123A1 (de) * 2011-03-25 2012-09-27 G Data Software Ag Kommunikationssystem mit Sicherheitsvorrichtung, Sicherheitsvorrichtung sowie Verfahren hierzu
US20120272317A1 (en) * 2011-04-25 2012-10-25 Raytheon Bbn Technologies Corp System and method for detecting infectious web content
US20120323700A1 (en) * 2011-06-20 2012-12-20 Prays Nikolay Aleksandrovich Image-based captcha system
US9734503B1 (en) * 2011-06-21 2017-08-15 Google Inc. Hosted product recommendations
US9374369B2 (en) * 2012-12-28 2016-06-21 Lookout, Inc. Multi-factor authentication and comprehensive login system for client-server networks
US9298681B2 (en) * 2013-01-03 2016-03-29 International Business Machines Corporation Dynamic webpage change animation
US10108590B2 (en) * 2013-05-03 2018-10-23 International Business Machines Corporation Comparing markup language files
KR102089513B1 (ko) * 2014-03-19 2020-03-16 한국전자통신연구원 모바일 저장장치에 기반한 소프트웨어 검증 시스템 및 그 방법
US10395032B2 (en) * 2014-10-03 2019-08-27 Nokomis, Inc. Detection of malicious software, firmware, IP cores and circuitry via unintended emissions
US9294492B1 (en) * 2015-03-10 2016-03-22 Iboss, Inc. Software program identification based on program behavior
US9350750B1 (en) * 2015-04-03 2016-05-24 Area 1 Security, Inc. Distribution of security rules among sensor computers

Also Published As

Publication number Publication date
US10831887B2 (en) 2020-11-10
US20180157830A1 (en) 2018-06-07
DE102015005071A1 (de) 2016-10-27
WO2016169646A1 (fr) 2016-10-27

Similar Documents

Publication Publication Date Title
DE10249428B4 (de) Verfahren zum Definieren der Sicherheitsanfälligkeiten eines Computersystems
DE112010003454B4 (de) Bedrohungserkennung in einem Datenverarbeitungssystem
DE60115615T2 (de) System, einrichtung und verfahren zur schnellen paketfilterung und -verarbeitung
EP2981926B1 (fr) Dispositif de stockage de données permettant un échange de données protégé entre différentes zones de sécurité
DE102011056502A1 (de) Verfahren und Vorrichtung zur automatischen Erzeugung von Virenbeschreibungen
DE10249427A1 (de) System und Verfahren zum Definieren des Sicherheitszustands eines Computersystems
DE602006000878T2 (de) Verfahren zur Steuerung eines Ressourcenzugriffs eines Prozesses durch einen Elternprozess
EP3430558B1 (fr) Détection d'un écart entre un état de sécurité d'un dispositif de calcul et un état de sécurité théorique
DE102005021064B4 (de) Verfahren und Vorrichtung zum Schutz gegen Buffer Overrun-Attacken
EP2362321A1 (fr) Procédé et système destinés à la reconnaissance d'un logiciel nuisible
WO2016169646A1 (fr) Système et procédé pour surveiller l'intégrité d'un composant délivré par un système serveur à un système client
EP3682610A1 (fr) Procédé et dispositif de détection d'une attaque sur un système de communication série
DE102006036111B3 (de) Verfahren und Prüfsystem zum sicheren Übertragen einer Nachricht von einer ersten Zone in eine zweite Zone
DE102012108866A1 (de) Verfahren zum sicheren Bedienen eines Feldgerätes
EP3641231A1 (fr) Procédé et dispositif de surveillance d'une communication de données
CH715183A1 (de) Penetrationstestverfahren und Computerprogramm zum Prüfen der Vulnerabilität eines Computersystems.
EP3588340B1 (fr) Procédé mis en uvre par ordinateur pour faire fonctionner un dispositif de mémorisation de données
EP3373180A1 (fr) Procédé et ordinateur comprenant une sécurisation contre les menaces cybercriminelles
DE602004001293T2 (de) Programmintegritätsprüfung mittels Statistiken
DE102007059798B3 (de) Verfahren zur Verschlüsselung von ausführbarem Programmcode, insbesondere als Schutz gegen unautorisierte Vervielfältigung, Manipulation und unautorisierten Betrieb
EP4329242A1 (fr) Procédé et ensemble système permettant d'établir de manière proactive une configuration de sécurité
DE102021131272A1 (de) Verfahren zur Steuerung des Zugriffs eines Users auf ein Netzwerk, Netzwerk und Computerprogramm
EP3531326A1 (fr) Procédé de fonctionnement d'un réseau doté d'une pluralité de serveurs
DE10055118A1 (de) Offenbarendes Verfahren zur Überwachung ausführbarer oder interpretierbarer Daten in digitalen Datenverarbeitungsanlagen mittels gerätetechnischer Einrichtungen
EP4329243A1 (fr) Procédé mis en uvre par ordinateur permettant de sécuriser de manière automatisée un système de calcul

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20170907

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20200213

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 9/40 20220101ALI20240117BHEP

Ipc: G06F 21/53 20130101ALI20240117BHEP

Ipc: G06F 21/54 20130101AFI20240117BHEP